[PATCH] krb5_get_init_creds_opt_get_error and krb5_copy_error

Guenther Deschner gd at samba.org
Mon May 7 09:43:47 GMT 2007


Hello,

attached is a patch that adds two new krb5_* calls: 
krb5_get_init_creds_opt_get_error() and krb5_copy_error(). These two 
calls already exist in Heimdal Kerberos (since version 0.8).

The reason for adding these calls is to enable the caller to retrieve 
the full krb5_error packet after a failed AS-REQ from a Windows KDC.

Windows KDCs add extended 32-bit NTSTATUS codes into the krb5_error edata 
as a KRB5_PADATA_PW_SALT (see here: 
http://marc.info/?l=samba-technical&m=114263219025559&w=2) to transport 
more fine-grained error conditions (e.g. based on Windows account 
restrictions).

Having access to these NTSTATUS codes is extremely valuable for Samba as 
a krb5 client, notably for the error handling in the kerberized 
pam_winbind module, where it is currently used when the system krb5 library 
(currently only Heimdal > 0.8) offers it.

Can these calls be added to MIT Kerberos? The patch is against MIT 
Kerberos 1.6.1 and has been valgrinded and tested on Fedora Core 6 x86_64.

Thanks,
Guenther
-- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mit.diff
Type: text/x-patch
Size: 9235 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20070507/98890bc4/mit.bin
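
Added example, not part of the original post or the attached patch: a small C decoder for the NTSTATUS code that the message says Windows KDCs carry in the krb5_error edata as a KRB5_PADATA_PW_SALT. It assumes the PA-DATA value has already been ASN.1-unwrapped and follows the 12-byte KERB-EXT-ERROR layout from MS-KILE (little-endian status, reserved, flags); the helper names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption (MS-KILE KERB-EXT-ERROR, not taken from the patch): three
 * little-endian 32-bit fields in this order: status, reserved, flags. */
#define EXT_ERROR_LEN 12

/* Non-exhaustive table of account-restriction NTSTATUS codes. */
static const struct { uint32_t code; const char *name; } nt_names[] = {
    { 0xC000006Fu, "NT_STATUS_INVALID_LOGON_HOURS" },
    { 0xC0000070u, "NT_STATUS_INVALID_WORKSTATION" },
    { 0xC0000071u, "NT_STATUS_PASSWORD_EXPIRED" },
    { 0xC0000072u, "NT_STATUS_ACCOUNT_DISABLED" },
    { 0xC0000193u, "NT_STATUS_ACCOUNT_EXPIRED" },
    { 0xC0000224u, "NT_STATUS_PASSWORD_MUST_CHANGE" },
    { 0xC0000234u, "NT_STATUS_ACCOUNT_LOCKED_OUT" },
};

/* Hypothetical helper: decode an unwrapped PA-PW-SALT value. Returns 0 on
 * success, -1 when the buffer is not a 12-byte extended error (an ordinary
 * PA-PW-SALT holds a salt string and must not be read as a status). */
int ntstatus_from_pw_salt(const unsigned char *v, size_t len, uint32_t *status)
{
    if (v == NULL || status == NULL || len != EXT_ERROR_LEN)
        return -1;
    *status = (uint32_t)v[0] | (uint32_t)v[1] << 8 |
              (uint32_t)v[2] << 16 | (uint32_t)v[3] << 24;
    return 0;
}

/* Map a status to a symbolic name for logging or PAM error handling. */
const char *ntstatus_name(uint32_t status)
{
    for (size_t i = 0; i < sizeof(nt_names) / sizeof(nt_names[0]); i++)
        if (nt_names[i].code == status)
            return nt_names[i].name;
    return "unknown";
}

/* Constructed sample value: status 0xC0000072, reserved 0, flags 1. */
static const unsigned char sample_pw_salt[12] =
    { 0x72, 0x00, 0x00, 0xC0, 0, 0, 0, 0, 0x01, 0, 0, 0 };

int main(void)
{
    uint32_t st;
    if (ntstatus_from_pw_salt(sample_pw_salt, sizeof sample_pw_salt, &st))
        return 1;
    printf("0x%08X %s\n", (unsigned)st, ntstatus_name(st));
    return 0;
}
```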

